Vulnerability Description
CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which may allow access to files outside the restricted working directory of the controller.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Codesys | Control For Beaglebone | < 3.5.14.10 |
| Codesys | Control For Empc-A\/Imx6 | < 3.5.14.10 |
| Codesys | Control For Iot2000 | < 3.5.14.10 |
| Codesys | Control For Linux | < 3.5.14.10 |
| Codesys | Control For Pfc100 | < 3.5.14.10 |
| Codesys | Control For Pfc200 | < 3.5.14.10 |
| Codesys | Control For Raspberry Pi | < 3.5.14.10 |
| Codesys | Control Rte | >= 3.5.8.60, < 3.5.12.80 |
| Codesys | Control Runtime System Toolkit | >= 3.0, < 3.5.12.80 |
| Codesys | Control Win | >= 3.5.9.80, <= 3.5.12.80 |
| Codesys | Embedded Target Visu Toolkit | >= 3.0, < 3.5.12.80 |
| Codesys | Hmi | >= 3.5.10.0, < 3.5.12.80 |
| Codesys | Remote Target Visu Toolkit | >= 3.0, < 3.5.12.80 |
Related Weaknesses (CWE)
References
- https://www.us-cert.gov/ics/advisories/icsa-19-255-01MitigationPatchThird Party Advisory
- https://www.us-cert.gov/ics/advisories/icsa-19-255-01MitigationPatchThird Party Advisory
FAQ
What is CVE-2019-13532?
CVE-2019-13532 is a vulnerability with a CVSS score of 7.5 (HIGH). CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which may allow access to files outside the restricted working directory of ...
How severe is CVE-2019-13532?
CVE-2019-13532 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-13532?
Check the references section above for vendor advisories and patch information. Affected products include: Codesys Control For Beaglebone, Codesys Control For Empc-A\/Imx6, Codesys Control For Iot2000, Codesys Control For Linux, Codesys Control For Pfc100.